[web-devel] [Yesod] Re: Next version of WAI: cleaning house

Kazu Yamamoto ( 山本和彦 ) kazu at iij.ad.jp
Wed Jul 24 14:08:47 CEST 2013


Michael,

> I'm definitely not talking about removing the peer information. Request has
> a remoteHost field which is of type SockAddr, and therefore provides both
> remote IP address and port number (the latter, as you mention, being mostly
> useless).

Please understand that I'm not opposing your opinion. I'm just trying
to interpret user's opinions.

> I'm not sure what you mean by telling if communication is encrypted using
> the headers + IP address, can you clarify?

Suppose a Yesod application receives X-Forwarded-For:.

A bad client can insert X-Forwarded-For:. But if an IP address is
provided and the application knows the IP address of the proxy, the
application can tell whether or not the IP address can be trusted.

I'm not sure that there is a standard header field to tell HTTPS.
But if the proxy and the application shares such field:
- The application can truct the field according peer's IP address
- The application can tell the outside HTTP is encrypted

Correct me if I misunderstand.

--Kazu




More information about the web-devel mailing list